US20230177202A1 - Privacy aware multi channel data transfer - Google Patents


Info

Publication number
US20230177202A1
Authority
US
United States
Prior art keywords
data
vehicle
access identifier
random value
entity
Prior art date
Legal status
Pending
Application number
US17/545,372
Inventor
Omar Makke
Oleg Gusikhin
Basavaraj Tonshal
Panduranga Chary Kondoju
Current Assignee
Ford Global Technologies LLC
Original Assignee
Ford Global Technologies LLC
Priority date
Filing date
Publication date
Application filed by Ford Global Technologies LLC
Priority to US17/545,372
Assigned to FORD GLOBAL TECHNOLOGIES, LLC (assignment of assignors' interest). Assignors: MAKKE, OMAR; Kondoju, Panduranga Chary; TONSHAL, BASAVARAJ; GUSIKHIN, OLEG Y.
Priority to CN202211509911.8A
Priority to DE102022131816.8A
Publication of US20230177202A1
Legal status: Pending


Classifications

    • H04L63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer (under H04L63/0407, confidential data exchange where the identity of one or more communicating entities is hidden)
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G06F16/245 Query processing (information retrieval of structured data, e.g. relational data)
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6254 Protecting personal data, e.g. for financial or medical purposes, by anonymising data, e.g. decorrelating personal data from the owner's identification
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04L2209/42 Anonymization, e.g. involving pseudonyms (additional information relating to cryptographic mechanisms, H04L9/00)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Medical Informatics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Storage Device Security (AREA)

Abstract

Managing data transfer and privacy via a multi-channel transfer of information is provided. A query is received from a client device, the query indicating an access identifier corresponding to an entity for which data is stored. A consented data pool is accessed to identify a random value corresponding to the access identifier. A hash value is computed using a combination of both the access identifier and the random value. An anonymous data pool of stored data is queried to identify results from the stored data tagged with the hash value. The results are returned to the client device responsive to the query.

Description

  • TECHNICAL FIELD
  • Aspects of the disclosure relate to the managing of data transfer and privacy consent levels using multiple channels of communication and privacy constraints.
  • BACKGROUND
  • Personally-identifiable information (PII) includes many forms of information that could identify a human being. PII may include textual information such as names, addresses, and birth dates. PII may include other information as well, such as photographs of people, house addresses, or vehicle license plates. Data analytics may require the use of large sets of collected data. These data sets may include PII.
  • SUMMARY
  • In one or more illustrative examples, a system for managing data transfer and privacy via a multi-channel transfer of information is provided. The system includes one or more data servers, programmed to receive a query from a client device, the query indicating an access identifier corresponding to an entity for which data is stored; access a consented data pool to identify a random value corresponding to the access identifier; compute a hash value using a combination of both the access identifier and the random value; query an anonymous data pool of stored data to identify results from the stored data tagged with the hash value; and return the results to the client device responsive to the query.
  • In one or more illustrative examples, a method for managing data transfer and privacy via a multi-channel transfer of information is provided. A query is received from a client device, the query indicating an access identifier corresponding to an entity for which data is stored. A consented data pool is accessed to identify a random value corresponding to the access identifier. A hash value is computed using a combination of both the access identifier and the random value. An anonymous data pool of stored data is queried to identify results from the stored data tagged with the hash value. The results are returned to the client device responsive to the query.
  • In one or more illustrative examples, a non-transitory computer-readable medium comprising instructions for managing data transfer and privacy via a multi-channel transfer of information is provided. The instructions, when executed by one or more data servers, cause the one or more data servers to perform operations including to receive a query from a client device, the query indicating an access identifier corresponding to an entity for which data is stored; access a consented data pool to identify a random value corresponding to the access identifier; compute a hash value using a combination of both the access identifier and the random value; query an anonymous data pool of stored data to identify results from the stored data tagged with the hash value; and return the results to the client device responsive to the query.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 illustrates an example system for managing data transfer and privacy via a multi-channel transfer of information;
  • FIG. 2 illustrates an example data flow using two communications channels;
  • FIG. 3 illustrates an example process for storing vehicle data to the data servers;
  • FIG. 4 illustrates an example process for the access of vehicle data from the data servers;
  • FIG. 5 illustrates an example process for the vehicle sending vehicle data to the data servers for storage;
  • FIG. 6 illustrates an example process for querying the data servers for vehicle data; and
  • FIG. 7 illustrates an example of a computing device for managing data transfer and privacy via a multi-channel transfer of information.
  • DETAILED DESCRIPTION
  • As required, detailed embodiments of the present invention are disclosed herein; however, it is to be understood that the disclosed embodiments are merely exemplary of the invention that may be embodied in various and alternative forms. The figures are not necessarily to scale; some features may be exaggerated or minimized to show details of particular components. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a representative basis for teaching one skilled in the art to variously employ the present invention.
  • Data may be collected from vehicles or other devices. This data may be collected, anonymized, and transferred to a cloud system. It may be desirable that such data is not tied to the vehicles, the other devices, or users of the vehicles or devices without consent. If a user consents to providing data in exchange for access to certain advanced features, then the anonymous data may be linked to the user via consented data. The user may revoke the consent at any time, and if so, the consented data link to the user should be severed. If consent is not given, the user's identity should not be tracked. Even without the information needed to link the data to specific users, it may be desirable for some access to be provided to the anonymized data.
  • The communication channel over which anonymous data is sent may differ from the channels used for the consented data. The anonymized data may also land on a different server than the consented data. Each server may also have different control mechanisms. Therefore, it is desirable that data residing on the anonymized data server cannot, in itself, be linked to a user via the anonymous data pool. As discussed in detail herein, a multi-channel approach may be used to send anonymized data and to link the data to a consenting user. This allows the channel transmitting anonymized data to avoid the implementation of stringent rules, as the anonymized data cannot be linked to a user via that channel.
  • FIG. 1 illustrates an example system 100 for managing data transfer and privacy via a multi-channel transfer of information. In such a system, a vehicle 102 (or other entity collecting information) may include one or more data sources 104 (such as sensors or other controllers) to capture vehicle data 106 (or other data). The vehicle 102 may include a storage 108 configured to maintain the vehicle data 106. The vehicle 102 may also include a telematics control unit (TCU) 110 configured to communicate via communications channels 112 over a communications network 114 with one or more data servers 116. The data servers 116 may maintain data pools 118 as well as access identifiers (IDs) 120 to link the vehicle data 106 to specific users. A client device 122 may be used to query the data servers 116 for the vehicle data 106. It should be noted that the system 100 is an example, and systems 100 having more, fewer, or different elements may be used. For instance, while a single vehicle 102 and a single client device 122 are shown, it is contemplated that systems 100 could include many vehicles 102 and/or many client devices 122. As another example, while two data servers 116 are shown, it should be noted that implementations may include just one server, or in other cases many servers for load balancing or other networking purposes. As an even further example, while many examples herein relate to vehicles 102 and vehicle data 106, the vehicles 102 may be other types of entities or devices, and the vehicle data 106 may be other types of data unrelated to vehicles 102.
  • The vehicle 102 may include various types of automobile, crossover utility vehicle (CUV), sport utility vehicle (SUV), truck, recreational vehicle (RV), boat, plane or other mobile machine for transporting people or goods. In many cases, the vehicle 102 may be powered by an internal combustion engine. As another possibility, the vehicle 102 may be a battery electric vehicle (BEV) powered by one or more electric motors. As a further possibility, the vehicle 102 may be a hybrid electric vehicle powered by both an internal combustion engine and one or more electric motors, such as a series hybrid electric vehicle, a parallel hybrid electrical vehicle, or a parallel/series hybrid electric vehicle. As the type and configuration of vehicle 102 may vary, the capabilities of the vehicle 102 may correspondingly vary. As some other possibilities, vehicles 102 may have different capabilities with respect to passenger capacity, towing ability and capacity, and storage volume. The vehicles 102 may be identified by various identifiers, such as vehicle identification numbers (VINs) or globally unique identifiers (GUIDs), as some non-limiting examples.
  • The data sources 104 may include various devices configured to capture vehicle data 106 of the vehicle 102 environment. In an example, the data sources 104 may include visible light cameras or infrared cameras configured to capture still images and/or video data. In another example, the data sources 104 may include sensors configured to determine three-dimensional (3D) information, such as radar sensors or lidar sensors. The vehicle data 106 may be stored to a database, memory, or other storage 108 of the vehicle 102.
  • In some instances, the data sources 104 may be configured to capture vehicle data 106 of the surroundings of the vehicle 102. For instance, the data sources 104 may be configured to generate vehicle data 106 of the roadway, of other vehicles 102, of pedestrians, or of obstacles. This vehicle data 106 may be useful for driver assistance systems, for autonomous driving systems, for a security camera device, for dash camera applications, and/or for recording driving data for recreation (e.g., track days). However, the capture of such vehicle data 106 may involve the capture of PII. For instance, license plates of other vehicles may be captured in the vehicle data 106. Faces of pedestrians may be captured in the vehicle data 106 as another example.
  • Some data sources 104 may additionally or alternately be configured to capture vehicle data 106 inside of the vehicle 102, such as of the vehicle 102 cabin. This vehicle data 106 may be useful for applications such as driver awareness verification, vehicle occupancy detection, incident analysis, video conference, or to ensure that infants or belongings are not left behind in the vehicle 102.
  • The TCU 110 may be configured to provide telematics services to the vehicle 102. These services may include, as some non-limiting possibilities, navigation, turn-by-turn directions, vehicle health reports, local business search, accident reporting, and hands-free calling. The TCU 110 may accordingly be configured to utilize a transceiver to communicate with a communications network 114 over one or more communications channels 112.
  • The communications network 114 may provide communications services, such as packet-switched network services (e.g., Internet access, voice over Internet Protocol (VoIP) communication services), to devices connected to the communications network 114. An example of a communications network 114 is a cellular telephone network. For instance, the TCU 110 may access the cellular network via connection to one or more cellular towers. To facilitate the communications over the communications network 114, the TCU 110 may be associated with unique device identifiers (e.g., mobile device numbers (MDNs), Internet protocol (IP) addresses, etc.) to identify the communications of the TCU 110 on the communications network 114 as being associated with the vehicle 102.
  • The data servers 116 may be computing devices configured to communicate with the vehicles 102 over the communications network 114. The data servers 116 may be configured to receive vehicle data 106 from the vehicles 102, as well as in some cases to maintain access IDs 120 that allow the client devices 122 to access identity information corresponding to the vehicle data 106. As a specific example, an anonymous data server 116A may maintain an anonymous data pool 118A. The anonymous data pool 118A may store vehicle data 106 that is anonymous, regardless of whether the user has consented to data collection. A consented data server 116B may maintain a consented data pool 118B of access IDs 120 for accessing identity information of users corresponding to the vehicle data 106 in the consented data pool 118B.
  • A first communication channel 112A may be used to communicate anonymous vehicle data 106 with the anonymous data server 116A. A second communication channel 112B may be used to communicate consented vehicle data 106 and access IDs 120 with the consented data server 116B.
  • The access IDs 120 may be identifiers of the entities from which the data is stored. As one non-limiting example, the access IDs 120 may be VINs or GUIDs corresponding to the vehicles 102 providing the vehicle data 106. It should be noted, however, that the access IDs 120 are not limited to VINs or GUIDs and may be any other unique identifier of a vehicle 102 or other device.
  • The access IDs 120 may be configured to allow users to have access to different levels of information included within the consented data pool 118B. For instance, a first access ID 120 may allow the client device 122 to have access to identity information for a first user but not other users in the consented data pool 118B, while a second access ID 120 may allow the user to have access to identity information for a second user in the consented data pool 118B.
  • FIG. 2 illustrates an example data flow 200 using two communications channels 112. The first communication channel 112A may be used to send anonymous vehicle data 106 to the anonymous data server 116A. The second communication channel 112B may be used to send user-identifiable vehicle data 106 to the consented data server 116B.
  • The vehicle 102 may generate a random number (referred to herein as R). The random number R may be a number of length significant enough to make guessing impractical but short enough to allow for efficient data storage, such as 32 bits, 64 bits, 128 bits, 256 bits, etc. The vehicle 102 may generate the value of R responsive to various trigger criteria. For instance, the vehicle 102 may generate a new value for R responsive to the vehicle 102 entering a motive mode where the vehicle 102 is mobile (e.g., ignition on). In other examples, the vehicle 102 may generate a new value for R based on time-specific criteria, such as daily or weekly.
  • In some examples, the data servers 116 may send information to the vehicle 102 to aid in random number generation at the vehicle 102. This may be done, for example, to ensure the vehicle 102 has adequate entropy to generate a suitably random value for R. To ensure uniqueness of R, in some examples, the data servers 116 may assign the vehicle 102 a set of random numbers R which the data servers 116 determine to be unique to the vehicle 102. In another example, the data servers 116 may provide a seed to be used in a pseudorandom number generation algorithm on the vehicle 102 to ensure that R is unique to the vehicle 102.
  • If a user of the vehicle 102 has given consent to data collection, then the vehicle 102 may generate the new value of R. If, however, the user of the vehicle 102 has not given consent (or has revoked consent), then the vehicle 102 may utilize a predefined value of R that signifies no consent. As one example, a value of zero may be used for the purpose of signifying a lack of consent.
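The following is an added illustration, not code from the patent or from Ford, of the R provisioning described above: the data servers issue each vehicle a batch of random values they have checked to be unique across all vehicles they serve and distinct from the no-consent sentinel, and the vehicle takes a fresh R on each trigger (ignition on, a daily or weekly timer) while consent stands, falling back to the sentinel otherwise. The class and method names, the 128-bit length, the batch size, and `secrets.randbits` as the generator are assumptions; the seed-based variant the text also mentions is not shown.

```python
import secrets

R_BITS = 128          # bit length of R; the page lists 32 to 256 bits, 128 is the choice assumed here
NO_CONSENT_R = 0      # predefined value of R that signifies no consent (the page's example is zero)


class RProvisioner:
    """Server-side issuer of R values (hypothetical helper, not the patent's code).

    Hands each vehicle a batch of random values the servers know to be unique
    across every vehicle they serve, and never the no-consent sentinel.
    """

    def __init__(self, batch_size=4, r_bits=R_BITS):
        self.batch_size = batch_size
        self.r_bits = r_bits
        self.issued = set()      # every R ever issued, so uniqueness holds across vehicles
        self.by_vehicle = {}     # access ID -> all R values issued to that vehicle

    def issue_batch(self, access_id):
        batch = []
        while len(batch) < self.batch_size:
            r = secrets.randbits(self.r_bits)
            # reserve the sentinel and reject any (astronomically unlikely) repeat
            if r == NO_CONSENT_R or r in self.issued:
                continue
            self.issued.add(r)
            batch.append(r)
        self.by_vehicle.setdefault(access_id, []).extend(batch)
        return batch

    def is_issued_to(self, access_id, r):
        """Server-side check that an R received over the consented channel was issued to this vehicle."""
        return r in self.by_vehicle.get(access_id, [])


class VehicleRState:
    """Vehicle-side selection of the current R (hypothetical helper)."""

    def __init__(self, access_id, assigned):
        self.access_id = access_id
        self.unused = list(assigned)   # R values received from the servers, not yet used
        self.consent = False
        self.current_r = NO_CONSENT_R

    def set_consent(self, consent):
        """Grant rotates to a fresh R immediately; revocation drops straight to the sentinel."""
        self.consent = consent
        if consent:
            return self.on_trigger()
        self.current_r = NO_CONSENT_R
        return self.current_r

    def on_trigger(self):
        """Rotate R on a trigger such as ignition on or a daily/weekly timer."""
        if not self.consent:
            self.current_r = NO_CONSENT_R
        elif self.unused:
            self.current_r = self.unused.pop(0)
        else:
            raise RuntimeError("no unused R values left; request a new batch from the data servers")
        return self.current_r
```

Tracking every issued value in `issued` is what lets the servers promise uniqueness across vehicles; `is_issued_to` is the corresponding check the consented server can run before accepting an (access ID, R) pair, so a value that was never provisioned cannot be registered against a vehicle.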
  • The vehicle 102 may be configured to send vehicle data 106 to the data servers 116. Responsive to vehicle data 106 being available to send to the data servers 116, the vehicle 102 may determine whether consent is provided for the sharing of identifiable information of the user. If consent has been provided, then the vehicle data 106 is tagged with a value that provides information with respect to the origin of the data. In one example, this tagged value may be a hash of the random value R and the access ID 120 (e.g., VIN of the vehicle 102, a GUID corresponding to the vehicle 102, etc.). If consent has not been provided, then the vehicle data 106 is tagged with the predefined value of R that signifies no consent (e.g., zero). The hash algorithm may be any of various typically one-way cryptographic hash functions that receive information and generate a data element of generally predefined size. Example hashing algorithms may include MD5, SHA-1, SHA-2, NTLM, and LANMAN, as some non-limiting possibilities.
  • Through the first communication channel 112A, the vehicle data 106 and the hash of R and the access ID 120 may be sent to the anonymous data server 116A. Through the second communication channel 112B, the R and the access ID 120 may be sent to the consented data server 116B.
  • The consented data server 116B, responsive to receiving an R that signifies consent together with an access ID 120, may compute the hash of R and the access ID 120. This may be the same hash that is executed on the vehicle 102 for tagging of the vehicle data 106 that is sent to the anonymous data server 116A. The consented data server 116B may utilize this hash to query the anonymous data server 116A for matching vehicle data 106.
  • Thus, while stored to the anonymous data server 116A the vehicle data 106 may remain anonymous. However, if R signifies consent and the access ID 120 is known, then the vehicle data 106 can be linked to a specific user through use of the services of the consented data server 116B. In some examples, if this is the case the vehicle data 106 may be captured by the consented data server 116B for storage in the consented data pool 118B. In other examples, the vehicle data 106 may be pulled from the anonymous data pool 118A as requested by client devices 122 and may not be maintained to the consented data server 116B.
  • It should be noted that while two communications channels 112 are shown in the data flow 200, in other examples additional communications channels 112 may be used. For instance, different communications channels 112 may have their own unique R values. Hence, different communications channels 112 may utilize different hashes for securing different aspects of vehicle data 106. Yet, these different channels may perform consent differently and may be unable to link data among themselves.
  • If consent is not given, R signifies that lack of consent (e.g., zero). Thus, even if the access ID 120 of the vehicle 102 is tied to the R signifying the lack of consent, all vehicles 102 using the data servers 116 that are also non-consenting will also use the same R. In doing so, it may be impossible to link vehicle data 106 to its correct vehicle 102 for vehicles 102 where consent is not given. This is because each vehicle 102 will link to all anonymous vehicle data 106 from all non-consenting vehicles 102.
  • If consent is given, then R is unique. An analyst having access to the anonymous data server 116A may be able to use the client device 122 to access the anonymous data pool 118A. However, by knowing R alone, the analyst is unable to tie the vehicle data 106 stored in the anonymous data pool 118A with the vehicle 102. Moreover, the value of R tied to the vehicle data 106 may change over time as noted above. Therefore, it is not possible for the analyst to identify which vehicle 102 ties to this vehicle data 106.
  • However, if the analyst also has access to the consented data server 116B, then the analyst may be able to retrieve the link between R and the access ID 120. For instance, the analyst may utilize the access ID 120 to query for the values of R corresponding to the vehicle 102. By using this additional access ID 120 information, the analyst using the client device 122 may be able to generate or retrieve the hash of R and the access ID 120 corresponding to the vehicle 102, and use this value to query the vehicle data 106 for data specific to the vehicle 102 whose access ID 120 is being used.
  • Moreover, the link between vehicle data 106 and a vehicle 102 may be severed if consent is revoked. For instance, deleting user information may be as simple as setting all vehicle data 106 tagged with a hash of R and the access ID 120 to the value of R signifying a lack of consent. This operation may be performed efficiently by the data servers 116, and once complete, it would no longer be possible to identify the vehicle data 106 of the user.
  • FIG. 3 illustrates an example process 300 for storing vehicle data 106 to the data servers 116. In an example, the process 300 may be performed by the anonymous data server 116A and consented data server 116B in the context of the system 100.
  • At operation 302, the data servers 116 send R information to the vehicle 102. In an example, the R information may include a set of random numbers R which the data servers 116 determine to be unique to the vehicle 102. In another example, the R information may include a seed to be used in a pseudorandom number generation algorithm on the vehicle 102 to ensure that R is unique to the vehicle 102.
  • At operation 304, the data servers 116 receive tagged vehicle data 106 from the vehicle 102. In an example, if the vehicle 102 consents to identifiability of the user's information, the tagged vehicle data 106 may be tagged by the vehicle 102 with a hash of R and the access ID 120 of the vehicle. If consent is not given, the tagged vehicle data 106 may be tagged by the vehicle 102 with a hash of the value of R signifying a lack of consent and the access ID 120 of the vehicle. Or, if consent is not given, the tagged vehicle data 106 may be tagged by the vehicle 102 with the value of R signifying a lack of consent and no access ID 120. Regardless, this vehicle data 106 may be received over the communications network 114 via the first communication channel 112A to the anonymous data server 116A.
  • At operation 306, the data servers 116 receive the R and the access ID 120. In an example, if the vehicle 102 consents to identifiability of the user's information, R and the access ID 120 are received over the communications network 114 via the second communication channel 112B to the consented data server 116B.
  • At operation 308, the data servers 116 maintain the received information. For instance, the information at operation 304 is stored to the anonymous data pool 118A and the information received at operation 306 is stored to the consented data pool 118B. After operation 308, the process 300 ends.
  • FIG. 4 illustrates an example process 400 for the access of vehicle data 106 from the data servers 116. In an example, the process 400 may also be performed by the anonymous data server 116A and consented data server 116B in the context of the system 100.
  • At operation 402, the data servers 116 receive a query including the access ID 120 for vehicle data 106. In an example, the data servers 116 may receive the query over the communications network 114 from the client device 122.
  • At operation 404, the data servers 116 query for R. In an example, the data servers 116 may query the consented data pool 118B for the values of R that correspond to the access ID 120.
  • At operation 406, the data servers 116 generate a hash of the access ID 120 received at operation 402 and the R queried at operation 404. In an example, the hash may be a one-way cryptographic hash algorithm such as one of the examples mentioned above.
  • At operation 408, the data servers 116 query the data pools 118. In an example, the data servers 116 query the anonymous data pool 118A for the vehicle data 106 tagged with the hash value computed at operation 406.
  • At operation 410, the data servers 116 return the result of the query at operation 408. In an example, the resultant vehicle data 106 is sent to the client device 122 that sent the request received at operation 402. After operation 410, the process 400 ends.
  • FIG. 5 illustrates an example process 500 for the vehicle 102 sending vehicle data 106 to the data servers 116 for storage. In an example, the process 500 may be performed by the vehicle 102 in the context of the system 100.
  • At operation 502, the vehicle 102 receives the R information. In an example, the vehicle 102 may receive the information sent at operation 302 of the process 300.
  • At operation 504, the vehicle 102 generates R. In an example, the vehicle 102 may choose R from a set of R values received at operation 502. In another example, the vehicle 102 may use a seed received at operation 502 to generate one or more values of R using a pseudorandom number generation algorithm on the vehicle 102.
  • At operation 506, the vehicle 102 generates a hash of R and the access ID 120 of the vehicle 102. In an example, the access ID 120 may be stored to the vehicle 102 and retrieved, e.g., as communicated over a vehicle bus, stored to a memory of the TCU 110, etc. The hash may be generated using the same approach as done in operation 406 of the process 400.
  • At operation 508, the vehicle 102 tags vehicle data 106 with the hash generated at operation 506. In one example, the vehicle 102 may apply the hash as metadata to the vehicle data 106.
  • At operation 510, the vehicle 102 sends the tagged vehicle data 106 to the data servers 116. This data may be sent by the TCU 110 of the vehicle 102 to the anonymous data server 116A via the first communication channel 112A over the communications network 114 as discussed at operation 304 of the process 300.
  • At operation 512, the vehicle 102 sends the consented information to the data servers 116. This information may be sent by the TCU 110 of the vehicle 102 to the consented data server 116B via second communication channel 112B over the communications network 114 as discussed at operation 306 of the process 300. After operation 512, the process 500 ends.
  • FIG. 6 illustrates an example process 600 for querying the data servers 116 for vehicle data 106. In an example, the process 600 may be performed by the client device 122 of the system 100.
  • At operation 602, the client device 122 sends a query to the data servers 116. In an example, the query may include an indication of an access ID 120 specified by an analyst accessing the client device 122. The query may be received by the data servers 116 as discussed in operation 402 of the process 400.
  • At operation 604, the client device 122 receives the result of the query. The result may be sent from the data servers 116 and received by the client device 122 as discussed in operation 410 of the process 400. After operation 604, the process 600 ends.
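As an added illustration of processes 400, 500 and 600 (and of the untagging step recited in claims 3, 10 and 17), not code from the patent: a Python model of the two data pools, the vehicle-side tagging over the two channels, and the server-side lookup by access ID. SHA-256 as the one-way hash, 16-byte R values, in-memory dictionaries standing in for pools 118A and 118B, method calls standing in for channels 112A and 112B, and the sample vehicle data are all assumptions.

```python
# Added illustration of processes 400/500/600; not code from the patent. Assumed:
# SHA-256 hash, 16-byte R, dicts as pools 118A/118B, calls as channels 112A/112B.
import hashlib
import secrets
from collections import defaultdict


def tag_hash(access_id: str, r: bytes) -> str:
    """Operations 406/506: one-way hash over the access ID and R. The length
    prefix keeps distinct (access_id, r) pairs from yielding the same bytes."""
    aid = access_id.encode("utf-8")
    return hashlib.sha256(len(aid).to_bytes(2, "big") + aid + r).hexdigest()


class DataServers:
    """Anonymous data server 116A and consented data server 116B together."""
    def __init__(self) -> None:
        self.anonymous_pool = defaultdict(list)  # tag -> records (pool 118A)
        self.consented_pool = defaultdict(list)  # access ID -> R values (118B)
        self.untagged = []                       # records whose tag was removed

    def issue_r_information(self, count: int = 4) -> list:
        """Operation 302: a set of random values the vehicle may choose R from."""
        return [secrets.token_bytes(16) for _ in range(count)]

    def receive_anonymous(self, record: dict) -> None:
        """Operation 304, first channel: tagged data with no access ID attached."""
        self.anonymous_pool[record["tag"]].append(record)

    def receive_consented(self, access_id: str, r: bytes) -> None:
        """Operation 306, second channel: access ID and R, with no vehicle data."""
        if r not in self.consented_pool[access_id]:
            self.consented_pool[access_id].append(r)

    def query(self, access_id: str) -> list:
        """Process 400: look up R (404), hash (406), query pool (408), return (410)."""
        results = []
        for r in self.consented_pool.get(access_id, []):
            results.extend(self.anonymous_pool.get(tag_hash(access_id, r), []))
        return results

    def untag(self, access_id: str) -> int:
        """Claims 3/10/17: drop the tag so pool 118A is no longer linkable to
        this access ID and R; the data itself stays in the pool."""
        moved = 0
        for r in self.consented_pool.get(access_id, []):
            for record in self.anonymous_pool.pop(tag_hash(access_id, r), []):
                record["tag"] = None
                self.untagged.append(record)
                moved += 1
        return moved


class Vehicle:
    """Process 500 as performed by the TCU 110 of vehicle 102."""
    def __init__(self, access_id: str, servers: DataServers) -> None:
        self.access_id = access_id  # VIN or GUID (claim 7); value is constructed
        self.servers = servers
        self.r_values = []

    def receive_r_information(self, r_values: list) -> None:
        self.r_values = list(r_values)                              # operation 502

    def report(self, data: dict) -> str:
        r = secrets.choice(self.r_values)                           # 504: choose R
        tag = tag_hash(self.access_id, r)                           # 506
        self.servers.receive_anonymous({"tag": tag, "data": data})  # 508, 510
        self.servers.receive_consented(self.access_id, r)           # 512
        return tag
```

A holder of pool 118A alone sees only tags and data, and with a 16-byte R a tag cannot be recomputed from a guessed VIN; after untag() even the consented R selects no record, which is the linkage break the claims describe.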
  • FIG. 7 illustrates an example 700 of a computing device 702 for managing data transfer and privacy via a multi-channel transfer of information. Referring to FIG. 7 , and with reference to FIGS. 1-6 , the TCU 110, data servers 116, and client devices 122 may be examples of such computing devices 702. As shown, the computing device 702 includes a processor 704 that is operatively connected to a storage 706, a network device 708, an output device 710, and an input device 712. It should be noted that this is merely an example, and computing devices 702 with more, fewer, or different components may be used.
  • The processor 704 may include one or more integrated circuits that implement the functionality of a central processing unit (CPU) and/or graphics processing unit (GPU). In some examples, the processors 704 are a system on a chip (SoC) that integrates the functionality of the CPU and GPU. The SoC may optionally include other components such as, for example, the storage 706 and the network device 708 into a single integrated device. In other examples, the CPU and GPU are connected to each other via a peripheral connection device such as peripheral component interconnect (PCI) express or another suitable peripheral data connection. In one example, the CPU is a commercially available central processing device that implements an instruction set such as one of the x86, ARM, Power, or Microprocessor without Interlocked Pipeline Stage (MIPS) instruction set families.
  • Regardless of the specifics, during operation the processor 704 executes stored program instructions that are retrieved from the storage 706. The stored program instructions, accordingly, include software that controls the operation of the processors 704 to perform the operations described herein. The storage 706 may include both non-volatile memory and volatile memory devices. The non-volatile memory includes solid-state memories, such as not and (NAND) flash memory, magnetic and optical storage media, or any other suitable data storage device that retains data when the system is deactivated or loses electrical power. The volatile memory includes static and dynamic random-access memory (RAM) that stores program instructions and data during operation of the system 100.
  • The GPU may include hardware and software for display of at least two-dimensional (2D) and optionally 3D graphics to the output device 710. The output device 710 may include a graphical or visual display device, such as an electronic display screen, projector, printer, or any other suitable device that reproduces a graphical display. As another example, the output device 710 may include an audio device, such as a loudspeaker or headphone. As yet a further example, the output device 710 may include a tactile device, such as a mechanically raisable device that may, in an example, be configured to display braille or another physical output that may be touched to provide information to a user.
  • The input device 712 may include any of various devices that enable the computing device 702 to receive control input from users. Examples of suitable input devices that receive human interface inputs may include keyboards, mice, trackballs, touchscreens, voice input devices, graphics tablets, and the like.
  • The network devices 708 may each include any of various devices that enable the TCU 110, data server 116, and client devices 122 to send and/or receive data from external devices over networks. Examples of suitable network devices 708 include an Ethernet interface, a Wi-Fi transceiver, a cellular transceiver, or a BLUETOOTH or BLUETOOTH Low Energy (BLE) transceiver, ultra-wideband (UWB) transceiver, or other network adapter or peripheral interconnection device that receives data from another computer or external data storage device, which can be useful for receiving large sets of data in an efficient manner.
  • The processes, methods, or algorithms disclosed herein can be deliverable to/implemented by a processing device, controller, or computer, which can include any existing programmable electronic control unit or dedicated electronic control unit. Similarly, the processes, methods, or algorithms can be stored as data and instructions executable by a controller or computer in many forms including, but not limited to, information permanently stored on non-writable storage media such as read-only memory (ROM) devices and information alterably stored on writeable storage media such as floppy disks, magnetic tapes, compact discs (CDs), RAM devices, and other magnetic and optical media. The processes, methods, or algorithms can also be implemented in a software executable object. Alternatively, the processes, methods, or algorithms can be embodied in whole or in part using suitable hardware components, such as Application Specific Integrated Circuits (ASICs), Field-Programmable Gate Arrays (FPGAs), state machines, controllers or other hardware components or devices, or a combination of hardware, software and firmware components.
  • While exemplary embodiments are described above, it is not intended that these embodiments describe all possible forms encompassed by the claims. The words used in the specification are words of description rather than limitation, and it is understood that various changes can be made without departing from the spirit and scope of the disclosure. As previously described, the features of various embodiments can be combined to form further embodiments of the invention that may not be explicitly described or illustrated. While various embodiments could have been described as providing advantages or being preferred over other embodiments or prior art implementations with respect to one or more desired characteristics, those of ordinary skill in the art recognize that one or more features or characteristics can be compromised to achieve desired overall system attributes, which depend on the specific application and implementation. These attributes can include, but are not limited to cost, strength, durability, life cycle cost, marketability, appearance, packaging, size, serviceability, weight, manufacturability, ease of assembly, etc. As such, to the extent any embodiments are described as less desirable than other embodiments or prior art implementations with respect to one or more characteristics, these embodiments are not outside the scope of the disclosure and can be desirable for particular applications.

Claims (20)

What is claimed is:
1. A system for managing data transfer and privacy via a multi-channel transfer of information, comprising:
one or more data servers, programmed to
receive a query from a client device, the query indicating an access identifier corresponding to an entity for which data is stored;
access a consented data pool to identify a random value corresponding to the access identifier;
compute a hash value using a combination of both the access identifier and the random value;
query an anonymous data pool of stored data to identify results from the stored data tagged with the hash value; and
return the results to the client device responsive to the query.
2. The system of claim 1, wherein the one or more data servers are further programmed to:
receive, via a first communication channel, anonymous data from the entity, the anonymous data being tagged with the hash value of both the access identifier corresponding to the entity and the random value;
receive, via a second communication channel, the access identifier and the random value;
maintain the anonymous data in the anonymous data pool; and
maintain the access identifier and the random value in the consented data pool.
3. The system of claim 1, wherein the one or more data servers are further programmed to untag the hash value from the anonymous data pool, such that the anonymous data pool is no longer linked to the access identifier and the random value.
4. The system of claim 1, wherein the one or more data servers are further programmed to send a set of random values to the entity, wherein the random value is one of the set of random values.
5. The system of claim 1, wherein the one or more data servers are further programmed to send a set of random values to the entity, wherein the random value is one of the set of random values.
6. The system of claim 1, wherein the entity is a vehicle.
7. The system of claim 1, wherein the access identifier is a vehicle identification number (VIN) or a globally unique identifier (GUID).
8. A method for managing data transfer and privacy via a multi-channel transfer of information, comprising:
receiving a query from a client device, the query indicating an access identifier corresponding to an entity for which data is stored;
accessing a consented data pool to identify a random value corresponding to the access identifier;
computing a hash value using a combination of both the access identifier and the random value;
querying an anonymous data pool of stored data to identify results from the stored data tagged with the hash value; and
returning the results to the client device responsive to the query.
9. The method of claim 8, further comprising:
receiving, via a first communication channel, anonymous data from the entity, the anonymous data being tagged with the hash value of both the access identifier corresponding to the entity and the random value;
receiving, via a second communication channel, the access identifier and the random value;
maintaining the anonymous data in the anonymous data pool; and
maintaining the access identifier and the random value in the consented data pool.
10. The method of claim 8, further comprising untagging the hash value from the anonymous data pool, such that the anonymous data pool is no longer linked to the access identifier and the random value.
11. The method of claim 8, further comprising sending a set of random values to the entity, wherein the random value is one of the set of random values.
12. The method of claim 8, further comprising sending a set of random values to the entity, wherein the random value is one of the set of random values.
13. The method of claim 8, wherein the entity is a vehicle.
14. The method of claim 8, wherein the access identifier is a vehicle identification number (VIN) or a globally unique identifier (GUID).
15. A non-transitory computer-readable medium comprising instructions for managing data transfer and privacy via a multi-channel transfer of information that, when executed by one or more data servers, cause the one or more data servers to perform operations including to:
receive a query from a client device, the query indicating an access identifier corresponding to an entity for which data is stored;
access a consented data pool to identify a random value corresponding to the access identifier;
compute a hash value using a combination of both the access identifier and the random value;
query an anonymous data pool of stored data to identify results from the stored data tagged with the hash value; and
return the results to the client device responsive to the query.
16. The medium of claim 15, further comprising instructions that, when executed by one or more data servers, cause the one or more data servers to perform operations including to:
receive, via a first communication channel, anonymous data from the entity, the anonymous data being tagged with the hash value of both the access identifier corresponding to the entity and the random value;
receive, via a second communication channel, the access identifier and the random value;
maintain the anonymous data in the anonymous data pool; and
maintain the access identifier and the random value in the consented data pool.
17. The medium of claim 15, further comprising instructions that, when executed by one or more data servers, cause the one or more data servers to perform operations including to untag the hash value from the anonymous data pool, such that the anonymous data pool is no longer linked to the access identifier and the random value.
18. The medium of claim 15, further comprising instructions that, when executed by one or more data servers, cause the one or more data servers to perform operations including to send a set of random values to the entity, wherein the random value is one of the set of random values.
19. The medium of claim 15, further comprising instructions that, when executed by one or more data servers, cause the one or more data servers to perform operations including to send a set of random values to the entity, wherein the random value is one of the set of random values.
20. The medium of claim 15, wherein the entity is a vehicle and the access identifier is a vehicle identification number (VIN) or a globally unique identifier (GUID).

Priority Applications (3)

Application Number Priority Date Filing Date Title
US17/545,372 US20230177202A1 (en) 2021-12-08 2021-12-08 Privacy aware multi channel data transfer
CN202211509911.8A CN116318774A (en) 2021-12-08 2022-11-29 Privacy aware multi-channel data transfer
DE102022131816.8A DE102022131816A1 (en) 2021-12-08 2022-11-30 DATA PROTECTION-AWARE MULTI-CHANNEL DATA TRANSMISSION

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US17/545,372 US20230177202A1 (en) 2021-12-08 2021-12-08 Privacy aware multi channel data transfer

Publications (1)

Publication Number Publication Date
US20230177202A1 true US20230177202A1 (en) 2023-06-08

Family

ID=86498557

Family Applications (1)

Application Number Title Priority Date Filing Date
US17/545,372 Pending US20230177202A1 (en) 2021-12-08 2021-12-08 Privacy aware multi channel data transfer

Country Status (3)

Country Link
US (1) US20230177202A1 (en)
CN (1) CN116318774A (en)
DE (1) DE102022131816A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110276804A1 (en) * 2009-01-16 2011-11-10 Panasonic Corporation Server authentication method and client terminal
US20120087494A1 (en) * 2009-03-20 2012-04-12 Compugroup Holding Ag Method for providing cryptographical key pairs
US20200218729A1 (en) * 2019-01-09 2020-07-09 Hyundai Motor Company Method for Collecting and Managing Event Data of a Vehicle
US20200311357A1 (en) * 2019-03-27 2020-10-01 Oki Data Corporation Authentication processing system, authentication method and image processing apparatus
US20210019806A1 (en) * 2019-07-15 2021-01-21 Amadeus S.A.S. Search-query redirection
US20220222233A1 (en) * 2021-01-13 2022-07-14 Bigid Inc Clustering of structured and semi-structured data

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Gusikhin et al., Dynamic Cloud-based Vehicle Apps, IN PROCEEDINGS OF THE 4TH INTERNATIONAL CONFERENCE ON VEHICLE TECHNOLOGY AND INTELLIGENT TRANSPORT SYSTEMS, pp. 626–635 (2019) (Year: 2019) *
Makke et al., Connected Vehicle Prognostics Framework for Dynamic Systems, PROCEEDINGS OF THE THIRD INTERNATIONAL SCIENTIFIC CONFERENCE "INTELLIGENT INFORMATION TECHNOLOGIES FOR INDUSTRY," pp. 3–15 (2019) (Year: 2019) *
Yang et al., The Effectiveness of Cloud-based Smart In-vehicle Air Quality Management, IEEE, pp. 325–329 (2016) (Year: 2016) *

Also Published As

Publication number Publication date
DE102022131816A1 (en) 2023-06-15
CN116318774A (en) 2023-06-23

Legal Events

Date Code Title Description
AS Assignment

Owner name: FORD GLOBAL TECHNOLOGIES, LLC, MICHIGAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:MAKKE, OMAR;GUSIKHIN, OLEG Y.;TONSHAL, BASAVARAJ;AND OTHERS;SIGNING DATES FROM 20211123 TO 20211129;REEL/FRAME:058339/0538

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED